Install a CA certificate in ColdFusion

Solve the problem that the certificate used by the connected web server, mail server, or LDAP server (OpenLDAP, Active Directory, etc.) in ColdFusion cannot communicate with the certificate issued by the private CA or the self-signed certificate. The way.

I want to know quickly

ColdFusion runs on the JVM, so you can still use the Java method of importing certificates into the cacerts keystore using the keytool command. The included Java runtime (JRE) also includes keytool.

--JRE is located in C: \ ColdFusion2018 \ jre. --cacerts The default keystore password is changeit.

Basically, if you know this much, you can get various things by google, but I tried to summarize the method in the Windows environment that I often use.

procedure

1. Prepare the certificate

Prepare the certificate file to import.

--If the server itself uses a self-signed certificate, its certificate file --If the server uses a certificate issued by a private CA, the CA's certificate file (not the server's certificate)

It seems that the file format can be any of DER (binary format), PEM (BASE64 format), P7B (PKCS # 7 format), but prepare in the commonly used PEM format.

: notebook: The file name is ʻexample-ca.cer`.

2. Batch

Since it takes time and effort to do it every time when operating or testing, make it a Windows batch.

Create a register-cert.bat file by copying and pasting the following contents in the same location as the folder where you saved example-ca.cer.

register-cert.bat


@echo off
setlocal

set JRE_HOME=C:\ColdFusion2018\jre
set CERT_FILE=%~dp0example-ca.cer
set CERT_ALIAS=example-ca

echo %CERT_FILE%Alias%CERT_ALIAS%Registering as...
"%JRE_HOME%\bin\keytool.exe" -importcert -alias "%CERT_ALIAS%" -file "%CERT_FILE%" -keystore "%JRE_HOME%\lib\security\cacerts" -storepass changeit -noprompt

echo.
pause

Also prepare a batch file for deletion when you no longer need it.

remove-cert.bat


@echo off
setlocal

set JRE_HOME=C:\ColdFusion2018\jre
set CERT_ALIAS=example-ca

echo alias%CERT_ALIAS%Is being deleted...
"%JRE_HOME%\bin\keytool.exe" -delete -alias "%CERT_ALIAS%" -keystore "%JRE_HOME%\lib\security\cacerts" -storepass changeit -noprompt

echo.
pause

: notebook: The example-ca.cer part of CERT_FILE is the file name, so change it accordingly. : notebook: The specification of CERT_ALIAS is registered as the alias name of the certificate. Use this name when deleting.

3. Folder contents

It's OK if it looks like this.

image.png

4. Register

Double-click register-cert.bat to run it.

Execution result:

C:\cert-test\example-ca.Also known as cer example-Registering as ca...
warning:To access the cacerts keystore-Use the cacerts option
Certificate added to keystore

Press any key to continue. . .

If the message "Certificate has been added to the keystore" is displayed, registration is successful.

By the way, if it is already registered, it will fail as follows.

C:\cert-test\example-ca.Registering cer...
warning:To access the cacerts keystore-Use the cacerts option
keytool error: java.lang.Exception:The certificate was not imported. alias<example-ca>Already exists

Press any key to continue. . .

5. Delete

Double-click remove-cert.bat to run it.

Execution result:

Also known as example-Deleting ca...
warning:To access the cacerts keystore-Use the cacerts option

Press any key to continue. . .

There seems to be no success message. If it is not registered, it will fail as follows.

Also known as example-Deleting ca...
warning:To access the cacerts keystore-Use the cacerts option
keytool error: java.lang.Exception:alias<example-ca>Does not exist

Press any key to continue. . .

Supplement

It seems that there are two patterns of JVM, "Java 8 based" and "Java 11 based", depending on the installation time of ColdFusion 2018.

In this environment, in Java 11, there is a warning to use the -cacerts option with keytool, but I was able to add / remove it.

It seems that the -cacerts option is exclusive with -keystore and you don't have to specify the path to the cacerts file. However, Java 8 does not have this option, so if you want to use the batch in multiple environments, it is better to specify the path in the keystore as described at present.

How to avoid warnings in Java 11

All I had to do was replace the -keystore"% JRE_HOME% \ lib \ security \ cacerts " part of each batch file with -cacerts.

References

-cfhttp Tag Reference

Recommended Posts

Install a CA certificate in ColdFusion
Install / run a standalone robot simulator in wsl2 / docker environment!
AWS CLI install in Ubuntu 20.04
Install yarn in docker image
Install the plugin in Eclipse
Multiplication in a Ruby array
Find a subset in Java
Install tomcat plugin in eclipse
Install Rails in the development environment and create a new application